Confusion regarding AppVerifier

inoigjig

I tried to use AppVerifier to examine the checksum of FlorisBoard downloaded directly from the corresponding GitHub repository. The repository provides an additional .txt file with the SHA256 hash.

If I calculate the SHA256 hash of the FlorisBoard-APK on my Mac then it is identical to the SHA256 hash provided with the .txt file. However, if I use AppVerifier the calculated hash doesn't match the checksum from the .txt file.

What am I doing wrong? What sort of hash does AppVerifier calculate?

fid02

inoigjig Appverifier displays signing certificate hashes, not sha256 checksums: https://github.com/soupslurpr/AppVerifier?tab=readme-ov-file#appverifier

inoigjig

Ah, thanks for your help! In the case of FlorisBoard, how do I obtain the signing certificate hash? (But also for all other apps)

thure

In general you need to find the signing certificate hash published somewhere by the developers. Like DAVx⁵ does for example.

Unfortunately this is not always the case, like it is with FlorisBoard. There is an open issue on Github for FlorisBoard and maybe the signing certificate hash will get published in the future.

There's also a thread in this forum that shares hashes, but those hashes are less reliable as they aren't published by the developers.